Overview

This topic builds upon Setting up SSSD for LDAP Failover and Configuring Form-Based Authentication and focuses on configuring extended Lightweight Directory Access Protocol (LDAP) attributes.

Prerequisites

  • SSSD 1.12.0 or later. This is available on Red Hat Enterprise Linux 7.0 and later.

  • mod_lookup_identity 0.9.4 or later.

    • The required version is not yet available on any version of Red Hat Enterprise Linux. However, compatible packages (RPMs) are available from upstream until they arrive in Red Hat Enterprise Linux.

Configuring SSSD

You need to ask System Security Services Daemon (SSSD) to look up attributes in LDAP that it normally does not care about for simple system-login use-cases. In the case of OpenShift Container Platform, there is only one such attribute: email. So, you need to:

  1. Modify the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf on the authenticating proxy and add this attribute:

    [domain/example.com]
    ...
    ldap_user_extra_attrs = mail
  2. Tell SSSD that it is acceptable for this attribute to be retrieved by Apache. Add the following two lines to the [ifp] section of /etc/sssd/sssd.conf:

    [ifp]
    user_attributes = +mail
    allowed_uids = apache, root
  3. Restart SSSD:

    # systemctl restart sssd.service
  4. Test this configuration.

Configuring Apache

Now that SSSD is set up and successfully serving extended attributes, configure the web server to ask for them and to insert them in the correct places.

  1. Enable the module to be loaded by Apache. To do so, modify /etc/httpd/conf.modules.d/55-lookup_identity.conf and uncomment the line:

    LoadModule lookup_identity_module modules/mod_lookup_identity.so
  2. Set an SELinux boolean so that SElinux allows Apache to connect to SSSD over D-BUS:

    # setsebool -P httpd_dbus_sssd on
  3. Edit /etc/httpd/conf.d/openshift-proxy.conf and add the following lines inside the <ProxyMatch /oauth/authorize> section:

    <ProxyMatch /oauth/authorize>
      AuthName openshift
    
      LookupOutput Headers (1)
      LookupUserAttr mail X-Remote-User-Email (1)
      LookupUserGECOS X-Remote-User-Display-Name (1)
    
      RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER
    </ProxyMatch>
    1 Added line.
  4. Restart Apache to pick up the changes:

    # systemctl restart httpd.service

Configuring OpenShift Container Platform

Tell OpenShift Container Platform where to find these new attributes during login. To do so:

  1. Edit the /etc/origin/master/master-config.yaml file and add the following lines to the identityProviders section:

    identityProviders:
     - name: sssd
     challenge: true
     login: true
     mappingMethod: claim
     provider:
       apiVersion: v1
       kind: RequestHeaderIdentityProvider
       challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
       loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"
       clientCA: /home/example/workspace/openshift/configs/openshift.example.com/proxy/proxyca.crt
       headers:
       - X-Remote-User
       emailHeaders: (1)
       - X-Remote-User-Email (1)
       nameHeaders: (1)
       - X-Remote-User-Display-Name (1)
    1 Added line.
  2. Launch OpenShift Container Platform with this updated configuration and log in to the web as a new user.

    You should see their full name appear in the upper-right of the screen. You can also verify with oc get identities -o yaml that both email addresses and full names are available.

Debugging Notes

Currently, OpenShift Container Platform only saves these attributes to the user at the time of the first login and does not update them again after that. So, while you are testing (and only while testing), run oc delete users,identities --all to clear the identities out so you can log in again.